Cyber Security: A Management Issue

In response to an unexpected career change in 2019, I decided to go back to university as a mature student and study full time for an MSc in Cyber Security at City, University of London. The year that followed was one of the most rewarding challenges of my professional life. The subject is incredibly exciting, combining technology with the very real world of hackers and cyber-crime: Dark Nets and the Deep Web offer hints at secrets yet to be discovered; evil hacking groups match wits with the cyber defences of nations in a new cold (cyber)war. Cyber also has a strong subculture associated with it: the Guy Fawkes mask - made famous in the British graphic novel ‘V for Vendetta’, written by Alan Moore and illustrated by David Lloyd - is synonymous with hacking culture.

However, there is a very real and very dark side to all of this: McAfee estimates that the cost of cyber crime now represents 1% of global GDP - a trillion-dollar industry, up from $445Bn in 2014 (other sources put the current figure much higher). The very tangible effect of attacks such as that on the Colonial gas pipeline can be felt in the (fortunately temporary) loss of critical national infrastructure. At a more personal level, it is heart-breaking to see the damage from a ransomware attack sustained by a government organisation that exists to help people.

For all organisations, the challenge is how to understand and assess the risks, and then how to protect against them. Yet cyber is not well understood, having grown out of the IT infrastructure that has traditionally been left with the ‘IT crowd’ to manage: as long as it works, nobody cares about the how. In response to the growing threat, a multitude of companies have sprung up offering various services and products that are meant to protect: in 2019 the Wall Street Journal noted that there were over 3,500 cyber vendors plying their wares. Few of these products integrate with one another, resulting in an ever-increasing workload for security teams trying to make sense of what the various tools might be telling them, if only they could interpret the deluge of data from so many disparate sources. Pity the security professionals left trying to stitch together a workable security solution from the individual parts, hoping to make their organisations safe. As a director of the UK’s National Cyber Security Centre (NCSC) recently commented: “…a lot of the industry operates in much the same way as medieval witchcraft: ‘buy my magical amulet and you’ll be fine.’”

The challenge of becoming safer isn’t solely technical for any organisation; it has to come from a proper understanding of the organisation’s business operations. Why? Because that is where the vulnerabilities lie - hidden in forgotten, unpatched computers; in a handoff between human operators that can be spoofed; in an out-of-date operating system that talks to the bank; or in security CCTV monitors installed with their default passwords left unchanged. Management - and this is a management-wide issue - faces four major challenges, which I like to refer to, in a nod to the drama of cyber’s subculture, as the four riders of the cyber apocalypse: ignorance, fear, management, and staff.

Let’s start with the first rider: ignorance. Look to online sources for help and you can find a lot of solid advice, including keeping your software patched and up to date, ensuring that 2-factor authentication is enabled for all logins, and making sure that critical systems are backed up. But this assumes that the company knows what its IT assets are - its attack surface. The reality, especially for larger organisations, is that ignorance of the true scale of the systems in use - software and hardware - is a major issue. How well do you actually know what you are trying to protect: the data and associated systems, not to mention all the end-user devices and the myriad connections to the internet or to other companies’ systems? Figuring that out can be an enormous initiative all on its own. Then you have to analyse what the potential threats are, but again, this will only make sense if you have a firm understanding of the systems you are trying to protect. This is made more complex by the need to understand how the technology enables and interacts with business processes. Many successful cyber attacks have taken advantage of the way in which the tech is implemented: human interaction can give attackers opportunities to breach system defences that otherwise seem insurmountable. The BBC podcast ‘The Lazarus Project’ from 2021 describes a masterclass by North Korean hackers in how to hack on a complex scale, utilising both technology and an understanding of the underlying business operations. And if all of that wasn’t a big enough ask, the risk now extends through the technology supply chain: how secure are the companies that provide services to you? They can become an unwitting back door into your systems.

The second horseman is fear, and as one previous boss of mine was fond of saying: fear leads to irrational behaviour. If the challenge of cyber creates a culture of fear in an organisation, the irrational will happen. Whether that means implementing tools that aren’t properly understood but are hoped to protect - those ‘magic amulets’ - or a culture of fear around screwing up, the end result will be a vulnerable organisation that doesn’t understand the risks inherent in its systems and operations. Fear can also incapacitate: nothing gets done because the task seems too complex. So what DO you do?

Our third horseman is management; or perhaps a better but less pithy term would be ‘management that doesn’t understand its role in security’. Every manager has a role to play, from the technology leads to the heads of Finance, HR, and Marketing. An understanding of how security works within each team has to be agreed and communicated across the whole company; management have a responsibility to ensure that the correct behaviours and awareness exist within their respective areas. It cannot be left to ‘the security guy’ in the corner, with the ‘hope’ that they are on top of it. As the saying goes: ‘hope is not a strategy’.

The final horseman is staff - employees in general. If they are ill-prepared or unaware, they will become the weakest link. In a worst-case scenario, disgruntled (or desperate) employees could become accomplices to an attack, accepting an offer from a hacker group for a percentage of whatever is extorted from the organisation after a ransomware attack (and yes, hacker groups do indeed advertise for inside help). Employees who fear reporting incidents are likely to cover up the very issues the security team wants to be alerted to. Part of the solution is ensuring that no single employee can do too much damage - limiting their ‘blast radius’ through ‘zero trust’ policies: employees should only be able to access or change what they need to, and no more.

The four horsemen can be tamed to a large extent through good management, and it is that point more than any other that I want to make. Cyber security is fundamentally a management issue: the technology alone cannot and will not protect the organisation. Security has to fit into, and be a part of, normal business operations. You cannot protect what you don’t know, and you cannot protect yourself from threats you don’t understand. The only way to address that is to open the conversation to a wider audience, involving the whole organisation - security has to be a group activity. Each team has a role to play, both in implementing security and in communicating it. While the threat to an organisation may well be a hacker sitting in front of a bank of screens, securing the organisation requires pragmatic business skills, built on a firm understanding of the everyday business processes, as much as it does strong cyber know-how.


This article was first published, in a slightly different format, as a blog post under the title ‘The Four Horsemen of the Cyber Apocalypse’ (digitalworksgroup.com). The blog version was based on this original.
